Backup and Restore Tor Onion Service Keys
Your .onion address is derived from the cryptographic keys in your hidden service directory. If these keys are lost, your .onion address is gone forever — there is no way to recover it. This guide covers secure backup strategies, encrypted storage, restoration procedures, and key management best practices to ensure you never lose your .onion identity.
Understanding Tor Onion Service Keys
A v3 Tor onion service uses three key files stored in the hidden service directory (typically /var/lib/tor/hidden_service/):
hs_ed25519_secret_key — The master private key that derives your .onion address. This is the most critical file. If compromised, an attacker can impersonate your service.
hs_ed25519_public_key — The corresponding public key. Can be regenerated from the secret key but is convenient to keep.
hostname — A text file containing your .onion address. This is derived from the public key and can always be regenerated.
The hs_ed25519_secret_key file is only 96 bytes but it is the single most important file in your entire Tor hidden service deployment. Losing it means losing your .onion address permanently. Having it stolen means someone else can publish descriptors for your address and redirect your traffic.
Creating Encrypted Backups
Always encrypt onion key backups before transferring or storing them anywhere. Use GPG with a strong passphrase:
# Create an encrypted backup of onion keys
cd /var/lib/tor/hidden_service/
tar czf - hs_ed25519_secret_key hs_ed25519_public_key hostname | \
gpg --symmetric --cipher-algo AES256 -o /tmp/onion-keys-backup.tar.gz.gpg
# You will be prompted for a passphrase — use a strong one
# Store the passphrase separately from the backup
# Transfer the encrypted backup to a secure location
# Option 1: Copy to an encrypted USB drive
cp /tmp/onion-keys-backup.tar.gz.gpg /media/usb/
# Option 2: Transfer via Tor to another server
torsocks scp /tmp/onion-keys-backup.tar.gz.gpg \
[email protected]:/backups/
# Clean up the temporary file
shred -u /tmp/onion-keys-backup.tar.gz.gpg

Store backups in at least two geographically separate locations. Never store unencrypted keys on cloud storage, in Git repositories, or on any system accessible from the internet. The shred command securely deletes the temporary file by overwriting it before removal.
Restoring Keys to a New Server
To restore your .onion address on a new server, install Tor, create the hidden service directory with correct permissions, and restore the key files:
# On the new server, install Tor
apt install -y tor
# Create the hidden service directory
mkdir -p /var/lib/tor/hidden_service/
chown debian-tor:debian-tor /var/lib/tor/hidden_service/
chmod 700 /var/lib/tor/hidden_service/
# Decrypt and restore the backup
gpg --decrypt /path/to/onion-keys-backup.tar.gz.gpg | \
tar xzf - -C /var/lib/tor/hidden_service/
# Fix permissions
chown debian-tor:debian-tor /var/lib/tor/hidden_service/*
chmod 600 /var/lib/tor/hidden_service/hs_ed25519_secret_key
chmod 644 /var/lib/tor/hidden_service/hs_ed25519_public_key
chmod 644 /var/lib/tor/hidden_service/hostname
# Configure torrc and restart Tor
systemctl restart tor
# Verify — the same .onion address should appear
cat /var/lib/tor/hidden_service/hostname

Permissions are critical — Tor will refuse to start if the hidden service directory is not owned by the Tor user with mode 700, or if the secret key is readable by other users. After restoration, verify that the .onion address matches your original address by checking the hostname file.
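The hostname check can also be run against a decrypted backup before you ever need it. The Python script below is an added example, not part of the original guide or of Tor: it recomputes the v3 address from hs_ed25519_public_key using the address encoding in Tor's rend-spec-v3 and checks the size and tag of the other key file. The function names and the sample key are constructed for illustration, and the script does not prove that the secret key corresponds to the public key.

```python
import base64
import hashlib
import sys
from pathlib import Path

# 29-byte ASCII tag padded with NULs to 32 bytes, as Tor writes it for v3 keys
PUB_TAG = b"== ed25519v1-public: type0 ==\x00\x00\x00"
SEC_TAG = b"== ed25519v1-secret: type0 ==\x00\x00\x00"
VERSION = b"\x03"  # onion service version 3


def onion_address(pubkey: bytes) -> str:
    """Return base32(pubkey || checksum[:2] || version) + '.onion'."""
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]
    return base64.b32encode(pubkey + checksum + VERSION).decode().lower() + ".onion"


def check_backup(secret: bytes, public: bytes, hostname: str) -> list:
    """Return a list of problems found in the three restored files (empty = OK)."""
    problems = []
    if len(secret) != 96 or not secret.startswith(SEC_TAG):
        problems.append("hs_ed25519_secret_key: expected 96 bytes with v3 secret tag")
    if len(public) != 64 or not public.startswith(PUB_TAG):
        problems.append("hs_ed25519_public_key: expected 64 bytes with v3 public tag")
    elif onion_address(public[32:]) != hostname.strip().lower():
        problems.append("hostname does not match hs_ed25519_public_key")
    return problems


if __name__ == "__main__":
    if len(sys.argv) > 1:  # directory holding the decrypted backup files
        d = Path(sys.argv[1])
        found = check_backup((d / "hs_ed25519_secret_key").read_bytes(),
                             (d / "hs_ed25519_public_key").read_bytes(),
                             (d / "hostname").read_text())
    else:  # constructed sample: not a real key, only exercises the checks
        pub = bytes(range(32))
        found = check_backup(SEC_TAG + bytes(64), PUB_TAG + pub,
                             onion_address(pub) + "\n")
    print("\n".join(found) if found else "backup files are consistent")
    sys.exit(1 if found else 0)
```

Pass the directory holding the decrypted files as the only argument; the exit status is non-zero if any check fails.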
AnubizHost — Automated Tor Key Backups
AnubizHost managed Tor hosting includes automated encrypted backups of your onion service keys. We store encrypted copies in geographically distributed locations, ensuring your .onion address survives any single point of failure. You can also download encrypted backups at any time through our Tor-accessible control panel.
With offshore servers in Iceland, Romania, and Finland, your hidden service keys are protected by both strong encryption and privacy-friendly legal jurisdictions. Pay with Bitcoin, Monero, or other cryptocurrencies — no KYC required. If you ever need to migrate to a different server, our team handles key restoration seamlessly.